Those hoping to find out who won in the Goode/Perriello race will have to wait a while longer—until around Christmas, if the 2005 recount in the Creigh Deeds/Bob McDonnell race for attorney general is any guide. Historically, the best source of data has been straight from the SBE, rather than from third parties like CNN, etc., so those are the numbers to look at. Though at this moment Goode is up by a hundred-odd votes, we’re in the territory where minor adjustments from precinct officials can and will toss the race back and forth. Following this from hour-to-hour will drive you nuts.

That said, many of us are bound and determined to be driven nuts. And to that end, electronic voting expert and UVa professor Bryan Pfaffenberger provides an explanation of what we’re seeing here today:

I just did an analysis of the changes due to Veris [the new (and controversial) state voter registration database system] malfunction (?). In Danville, Tom Perriello’s vote totals (”original value”) were REDUCED by 308, while Virgil Goode’s vote totals were INCREASED by 1819.

I do not understand why vote totals would have been affected by VERIS “going down after midnight,” as the VBE update page states. It seems the system is used to report vote totals. So precincts were able to report vote totals before midnight (presumably, these are the “original values”), but were prevented from finishing until this morning, when (it seems) the system was rebooted. Why, then, would vote totals have been decreased as well as increased?

There will certainly be a recount, and that recount will require volunteers from both campaigns to go stomping around in sheds and barns to witness the audit of the voting equipment over the course of a half a day. If you want to help, get in touch with your candidate of choice and offer to observe come the appointed day. I did it for Sen. Deeds, and have volunteered to do the same for Tom Perriello.

Those of y’all who are as eager to keep up with the fluctuations of numbers as I am are welcome to post the changing numbers here as they settle down in the coming days.

Does anyone know where AP, CNN, the networks, etc get their data? I’ve been watching the SBoE site since last night, thinking that if anyone would have the “official” tally, it would be them, but the other sources on the net always seem to have differing totals. I don’t quite understand – especially at this stage of the game – how that can be…?

* Although I don’t have time to scan the whole page, I believe that the problem labelled “VERIS went down at midnight and changed totals” occurred only in Danville City.

* The changes subtracted 308 from Perriello’s “original value” and added 1,809 to Goode’s. It is not clear what “original value” means in this context.

* Although significant changes were made to the 5th District Congressional election tallies for Danville, only minor changes (concerning write-in votes) were made to the presidential and senate races. These, too, were attributed to “VERIS went down at midnight and changed totals.” Oddly, VERIS seems to have refrained from mangling the votes cast for Obama, McCain, Warner, and Gilmore.

I am confident that there is a reasonable explanation for the data VBE is reporting and there is no reason to suspect foul play. Because the changes are of a magnitude sufficient to alter the election’s outcome, though, I believe VBE should explain what happened. I would add that VBE would be wise to find an alternative to VERIS; no well-designed database system should scramble data, even in the event of an unforeseen failure.

I have been worried about this since they started with those fucking things. Recount? How can we do a recount? What’s the POINT of doing a recount if there’s nothing to re-count?

The voter pushed a button. The machine went “beep.” That’s it: no paper trail, no audit, no nothing.

The software in these machines appears to have been programmed by chimpanzees. Study after study has shown alarming rates of switched votes, garbled data, NEGATIVE vote counts…

I don’t care how much we spent on these things. Throw them the fuck out and get paper ballots, or people will lose faith in the electoral process, and with it, the whole concept of a representative democracy.

With electronic voting machines, there is nothing to audit and nothing to recount. You can make up any number you want and say it’s the tally, and no one can prove or disprove a thing. With or without wrongdoing, it doesn’t matter, the result is the same. The count is unverifiable.

In somewhat less strong language than Hawkins Dale used, but no weaker sentiment: people, you need to press your demands for auditable voting! It is not our “elected officials” who have failed us here, it’s the sheeple who have accepted electronic voting! Yesterday I used a paper ballot and saw people saying “no, I’ll vote electronically.” Now THAT is a vote thrown away. Even the paper ballot I used yesterday wasn’t good enough: it didn’t permit me to verify that my votes were scanned correctly.

Oh, and one last thing: there’s a place for electronic voting machines to make the process faster and more efficient (but only with a verifiable paper trail!) but there’s no place for closed-source voting machines in a democratic republic.

Keeping an eye on the SBE changes list, I see some big changes in Nelson. Perriello just gained 1 in Montebello, 100 in Schuyler, 1 in Lovingston, and 6 in absentee. Goode gained 2 in absentee, for a net of 106 for Perriello in Nelson.

It would be easy to build an electronic voting machine with a backup system. A simple roll of paper that is punched with a pattern just like the old computer tapes that were done to load the programs on the first computers. Setup on a reel to reel inside the machine. That way you could take the reel to a reader and play back the vote or if need by count by hand. It’s just too simple to do I guess.

The problem with complicated voting technology is that we only use it once or twice a year so it takes a long time to get the bugs out. Those big mechanical booths were OK because municipal workers knew them.

Good cheap technology is the commodity stuff. No one is likely to build a voting machine as reliable as $99 cash register from Staples. I even guessed the price right before looking on Staples.com. That proves it!

For things like this, state gov’ts are just fishfood for private vendors.

Because you cannot be allowed to walk out of the voting place with a record of how you voted, to stop voter intimidation.

A good and proper safeguard. So… you vote electronically and a receipt is printed out. You check the receipt to be sure that it accurately reflects your vote. You then deposit that receipt in a box before leaving the polling place.

You’re not walking out with a receipt and those printed receipts provide a back-up, in case something goes wrong with the machines or as a double-check in the event of a recount.

but why can’t it print off a copy, and then the printed off copy gets dropped in a “receipt box” for recounts?

Or, you do a paper ballot, but you get to test scan it, so if you didn’t bubble in enough of the box, then you know and can fix it. Or if you forgot to vote for one of the categories, then you can fix it and re-scan the ballot. And you can see the results of the scan. Its like a Target when you go up to one of the “test scanners” to check what the sale price is. Once you’ve test scanned your ballot and approve of it, then you can turn it in to the official scan machine/ballot box.

I think if you could verify your vote online, then I can’t see the voter intimidation thing being an issue.

After all, if your employer is forcing you to go online and reveal your vote, then what’s to stop him from forcing you to go online and transfer all your funds to his bank account? Seems like you’d have a whole range of issues if that were the case…

I agree though that walking out with a printed copy would have to be optional, with a mechanism to not print, or print and destroy.

Think simplicity. Very few people in th IT industry believe high tech is a good solution for this application. Except those in the sales dept. Forget all those seemingly-smart schemes of printed receipts etc.

Right now the simplest systems in the US seem to be scan sheets and markers.

Canada votes on paper and counts it by hand. How many voting snafus do you hear about in major countries outside the US?

But Canada must always face the danger of hucksters snookering them into US-style beeswax. To wit:http://papervotecanada.blogspot.com/
“Electronic and Internet voting are a danger to democracy. This blog is dedicated to preserving the existing Canadian paper-based, hand-counted voting system.”

Elsewhere, you stated that you had heard that the data entry problem involved the accidental, duplicate entry of results from a heavily Democratic precinct in place of the correct results for several other precincts. There is no evidence whatsoever in the numerical data available on VBE’s web site in support of this assertion. If it were true, one would expect that many of the “original values” would be identical.

You also assert that the data entry error is separate from the VERIS glitch, in spite of the plain fact that the VBE Web page attributes the data alteration to “VERIS went down at midnight and changed totals.” Your assertion is also contradicted by the equally plain evidence that, throughout the page describing changes to vote tallies, changes resulting from data entry errors are common and are expressly labeled “data entry error.”

Lastly, if a heavily Democratic precinct’s tally was mistakenly submitted in place of the results for other precincts, one would expect the tallies for President/Vice President and Senate to require correction, as well. As can be seen on the VBE site, there are errors attributed to VERIS for these races in the Danville precincts, but they are limited to a few write-in votes.

With respect, I find no reason whatsoever to find your assertions credible, as they have been voiced. Perhaps you could try again.

Lonnie, you’re right about the intimidation, but consider the opposite scenario: What if I am willing to pay ten bucks for every vote for me?

Under your system, it’s possible for me to verify that you did vote for me, and so it’s worth it for me to pay you.

Not good.

This is why secret balloting is a cornerstone of democracy.

Paper ballots, scanned by machines, and then retained in sealed boxes for recounts and audits, is how most modern countries vote. Except for the countries that don’t bother with the scanners: it’s pretty easy to just COUNT THEM (although that works best when there’s one choice per ballot).

My question is, does the following accord with the trends you observed prior to midnight?

“The race became an unexpected roller coaster ride around midnight Tuesday when a glitch in Danville took Goode’s lead and gave it to Perriello, temporarily confounding pundits who had anticipated Goode to easily beat his challenger.

Danville Registrar Peggy Petty said her staff had correctly entered all the votes from city precincts, but when a staffer tried to enter more than 2,500 absentee votes into the State Board of Elections’ computer system, the system booted her off.

When she later accessed the system to try again, she noticed that the system had scattered the absentee numbers throughout several precincts, making their totals wrong.

The office gave up trying to restore the right numbers around 2 a.m. yesterday, said Petty. “We were so angry we couldn’t see straight.”

Goode’s lead was restored — temporarily — when Danville corrected the numbers at 8 a.m. yesterday. More re-checking and rulings on provisional ballots narrowly swung the lead back to Perriello in the afternoon.”

Here is my question.

Wasn’t Tom in the lead before midnight? If so, it could not have been the VERIS glitch that gave the lead to Perriello.

I would like to add that no professionally designed database system would scatter data among several data tables, even in the event of an unplanned service outage. Those familiar with relational database design will realize that an error of this type is not only unlikely, but in most architectures, it is impossible. If indeed occurred, it strongly suggests that the VERIS system is so incompetently designed that it should be immediately removed from service.

You are absolutely right, Bryan. I watched the numbers from 8:30pm until 12:45pm, reloading the SBE web page every 3-15 minutes (with a half-hour gap in which I was driving home), and Perriello was in the lead at all times.

You know, when we get to our polling places, the first thing we do is trade in our name for a voting number. Why couldn’t this polling number become our ID for the rest of the process? We could double-check this number against any sort of vote database. It would not be a “name,” but it would satisfy all of the same needs.

There was a point last night when the numbers for Periello jumped substantially in Danville.

I had been checking the results regularly, and then got swept up in the presidential results.

When I checked them again about 1 am, I was surprised at how large the Danville lead was. Periello had been ahead all evening, but not by the substantial percentage they were reporting late last night/early this morning.

My initial story was coming via the grapevine from a local county chair who heard it from a southside party chair who heard it from one of the people who had been counting ballots. So, a game of telephone which is then posted on the internet–you’d think those years I taught middle school would have taught me something, eh?

What happens if they can’t decide this thing? Would there be recount after recount, or do we at some point have Kaine calling the winner?

There’s no such thing as not deciding it, luckily. The results will be certified in a couple of weeks, and at that time a recount will be requested. That will take about a month. As others have pointed out here, the “recount” would be bullshit, basically. Electronic voting consists of an integer that increases by one with each person’s vote. As these devices generally exist, there are no ballots to be hand-tallied, no backup paper receipt to review for each device. So really the “recount” will simply involve making sure that the SBE’s tally for a precinct matches the total from all of the machines. That may result in some small differences, maybe even a dozen or two dozen votes, but any change more than that is pretty unlikely. Obviously, what emerges from that process is somebody with more votes, and that’s the person who wins.

But imagine that there’s a tie. It’s hugely unlikely, but it could happen. Then there’s a simple solution—a coin toss. I seem to recall Scottsville settling an electoral in just such a manner a few years ago.

Now, lawsuits could make things a mess. As with George Bush’s lawsuit in 2000, in which he successfully sought to stop any further counting of votes, either candidate might gin up some grounds on which to prevent any further counting. Or if there was evidence of fraud or impropriety, there might be a lawsuit in order to toss out the results from a precinct, say. That would certainly throw a spanner into the works.

But, like I said, odds are that somebody will have more votes, and that’ll be the person who wins.

The Bush v. Gore decision went something like “if we wait for the local courts, something unfair is likely to happen, and we don’t want to come back to try to fix it. But this case does not set precedent for any other case.” Essentially it acted as a trier of fact, a major no-no for an appeals court.

There will be many paper ballots to recount, in addition to the electronic nonsense. My precinct offered a choice, paper or plastic. People actually waited in line to vote electronically, while there were 5 booths for paper users open. I guess they thought it was like using the handicapped bathroom.

Does anyone recall by how much Perriello was in the lead BEFORE midnight? I think it was something like 700 or 800 votes, but I didn’t copy down any figures. It will really be helpful to know — please post whatever you’ve got.

Although I admire you guys musing over fixing something as complex as a voting system through simple blog comments, rest assured that there are people who are much smarter than all of us who have come up with real bulletproof solutions to all of these problems.

What do I mean? Quite simply: Cryptography can provide verifiability while maintaining ballot security.

The voting system first must convince you your vote was recorded correctly, yet not give you enough information to provide it to a “coercer” even if you WANT TO. The problem is providing enough information, but not too much.

Up until now, we drop our vote in a “black box” (be it a literal box or a computer) at which point it is shaken up and voter identity and verifiability is lost forever. This is the only way to maintain ballot secrecy in our current system. This means we must rely on chain of custody for security. There is plenty of evidence that this security is flawed. (e.g. boxes of ballots found floating in the ocean)

We must have secrecy, and we must have better than chain of custody security.

Here is what we need. “Alice” wants to verify her vote. Everyone wants to verify the tally. Alice cannot be coerced to reveal her vote by anyone even if she chooses to do so.

Cryptographically, this is solved with “zero knowledge proofs”.

There are many cryptographic voting protocols out there that can achieve all of these goals. My personal favorite is “scratch and vote”. Explaining it here in full detail would be nearly impossible. Luckily you can read all about it here:

I know you wont read that fully, and that this is technically complicated… so here is my explanation put as succinctly as I can manage.

The basic idea is that you get 2 paper ballots containing a random order of candidates on one side of a perforation, on the other side are blank checkboxes that line up with them. Below the checkboxes is a unique encrypted barcode that contains the order of the candidates on the other half of the ballot. Below that barcode is another perforation with a “scratch off” section with the randomization factor for the encryption barcode above it. This allows you to pick one of the two ballots to audit by scratching off the bottom and scanning it to verify that its the correct encryption of the order of candidates. This gives you a 50/50 chance that your ballot contains the proper encryption. In aggregate even in the smallest precinct any tampering would be discovered. You could use 1000 audit ballots if you want but that would become cumbersome and is not needed.

Now you trust your ballot contains an accurate encryption of your vote. You go in the voting booth, check off the box next to your candidate, then tear off the other side with the randomly ordered list of names and throw it away. You now have a piece of paper with just checkboxes and an encrypted barcode and an un-scratched-off barcode. You then show it to the election officials who verify that you did not scratch off the second barcode, which is then torn off and destroyed publicly. You go home with the card with checkboxes and an encrypted barcode, the encryption randomization factor for which was destroyed. This means that even if you wanted to, you couldn’t prove to a coercer who you voted for since even you can’t decrypt the barcode. Two people may both have the same box checked, but since the list of candidates was random, they could have voted for different candidates or even the same candidate. There is no way to know.

You go home and want to know if your vote actually counted (what a concept!) There is a public bulletin board containing all of the ballots. You go check to see if your ballot is there and if the box(es) checked and the barcode both match. Basically once you verified at the polling place that it really is an encryption of your vote through the scratch-off audit, its now nothing more than a “fedex tracking number” for your vote.

Your barcode is encrypted with an el gamal algorithm which has the amazing property of being able to multiply encrypted data blocks together. A modified version of el gamal can be made to ADD encrypted information which is KEY. This means that you can add up all these encrypted blocks without decrypting them individually. Once you have one big encrypted block… we can decrypt it (through a distributed private key system) and then get a finaly tally.

There is another issue… sometimes people aren’t very comfortable with the fact that you only get the aggregate vote at the end of the day. They want individual ballots to remain intact.

There are solutions that preserve the individual ballots. The class of protocols that do this are called mixnets. A mixnet is composed of a number of mixservers run by mutually distrusting parties. Its sort of like having each political party shake up the ballot box, and since everyone had a turn they all know that nobody knows which vote went where. The problem is they are unique ciphertext values. So if you just take a whole bunch of unique values and shuffle them, they’re still unique and identifiable. So we have to modify them along the way. This is done by “onioning” the encrypted votes in layers of encryption for each mix server. First its encrypted with the last mixserver’s public key, then the middle mixserver’s public key, and then the first mixserver’s public key. So the outputs don’t look anything like the inputs at each point in the process. Then at the end, out comes the anonymized votes and we can all count them. The mixserver process is mathematically auditable at every step without actually revealing information about how someone voted or creating a path all the way through the mix thus ensuring anonymity while still ensuring that your vote is in there somewhere. The final decryption and tally process can also be audited with mathematical techniques. ANYBODY can do this auditing, the voters, the newspapers, the political organizations. Anyone can look at this data and make sure it happened correctly.

The true beauty of this is that at every step along the way the protocol used can be implemented with proprietary code. Code it in cobol for all we care. We can still audit it without seeing into the source code. This means companies that develop these systems can still keep their code proprietary without removing any auditability and without the ability to commit fraud at any point.

Why this has not been adopted I do not know. Yes, it is complex and even if you yourself can’t audit it fully, you can find someone to do it for you. Anyone can do it… all you need to do to audit this is read a lot of books. I think this is a better system than having to be part of an appointed few in order to do an audit.

Here’s a little off-topic glitch I heard about. It seems that there were 3 people statewide who, when they received their passcode for the electronic voting machine, were given a number that let them vote ONLY for the presidential candidate of their choice. Once they had done that, the only choice the machine gave them was ‘cast your ballot’. This happened to a friend of mine and he was told that the VEC would not accept provisional ballots in these cases. So, he wasn’t able to vote in the Senate or House races.

Anyone else heard of anything like this happening? What I don’t understand is why this would even be an option, unless one of the options on the ballot in the presidential race was to vote a straight party ticket. I don’t remember that being an option here.

Voting machines in Virginia have the option to cast ballots in A)all applicable races (federal, state, and local), B)federal(congressional and presidential) races only, and C) presidential race only. I was a poll worker on election day and with the machines that we had in our precinct, we would have to select which ballot a voter was going to vote on after we activated their ballot. If I remember correctly (and I may be wrong) someone may vote on a presidential-only or a federal-only ballot if they have recently moved from one state to another and their are registration issues. I don’t remember the exact reasons and I don’t know why someone would get a presidential or federal ballot when they qualify for that. I have a feeling it was probably human error. Hope that clarifies things a little.

Yes that happened to me. I voted in Charlottesville on an eSlate, and I only got the presidential election. Since I had used the machine before, I was very cautious not to hit “cast ballot,” but it made me pretty nervous when the first two poll workers decided to press every button on the machine because they thought a button might be sticking. The first poll worker said he’d get me more help, but didn’t, he just went back to directing voters to their booths. I didn’t want to leave my booth, and my uncast ballot, to get help, but I was able to flag down another worker. Finally, one of the poll workers decided that they needed to issue me a new access code and cancel my original ballot. I was very discouraged that all the poll workers seemed so unfamiliar with the machines. The first two didn’t even know it was possible to get an incomplete ballot. All three of them at different points “just pressed buttons” on my machine to try and figure out where the missing races were, and/or to figure out how to “cancel” my ballot. And, as someone who has accidentally deleted an entire memory card, instead of a single photograph, I was a little nervous about what would happen when the poll workers found a “Cancel” button to click.

I’m grateful that there are people working the polls, but I think they should be better trained on the machines. I didn’t like feeling like a guinea pig, and I didn’t get a secret ballot

What happens if they can’t decide this thing? Would there be recount after recount, or do we at some point have Kaine calling the winner?

Actually, the Constitution provides us with some guidance on this question. According to Article I, Section 5, “Each House shall be the Judge of the Electios, Returns and Qualifications of its own Members”.

It will be the House of Representatives who will, ultimately, decide who they will seat.

‘Canvass’ is a reference to the process that takes place the day after the election (Wednesday morning in most localities). The three members of the local Board of Elections, with observers from each party, and usually with the registrar in attendance, open the results packet from each precinct in their locality. They read off and record the numbers from the precinct officials’ statement of results, and make sure that they add up, that numbers are not transposed, etc.

Mistakes are discovered in this process, and changes that result are flagged as resulting from the canvass. Results after the canvass are ‘official’, as compared with the unofficial election night results, which are the numbers that precinct officials call in to the registrar/board of elections.

The case of the presidential-only ballots is most likely an error on the part of the precinct worker who entered an incorrect number to activate your ballot on the machine.

All localities have to provide a presidential-only ballot for the use of people who are registered to vote elsewhere but move into a different locality after the registration cutoff. Federal election law provides that no one who’s duly registered can be deprived of their right to vote for president. This is the first presidential election with the electronic machines for many Virginia localities, and programming the presidential-only ballot proved quite difficult for some registrars/BoEs.

There are numbers set aside to activate those ballots, and a typing error could result in the precinct worker setting up a pres-only ballot when a regular ballot was intended. Most voters — including many people with long election experience — have no idea that the presidential-only ballot option even exists. But as you found, the solution when this happens is to get the precinct worker at the table to void the ID they gave you and start over with a new one. No amount of messing with the machine itself will correct it; that wastes time and risks a worse screw-up.

I just brought in my Perriello yard signs… maybe I should put ’em back out to stir up the vibe.

Meanwhile, there’s a group, VerifiedVoting.org, that’s working to pass legislation requiring a paper-trail receipt for voting machines. Easy to sign up, the leader is Alice Whealin, an artist up in DC… she’s a hero. There’s a lot of information available and notices of action in the state.

So why is it that Diebold and other companies have a huge installed base of reliable and accurate ATM machines and self-service gas pumps that can successfully transact complex operations AND give a paper receipt, but voting machines can’t?

This falls into the category of, “We can put a man on the moon, so why can’t we build a working adding machine that will count votes and give us a receipt?”

Pat, the various precincts are correcting tabulation errors as well as counting all of the provisional and absentee ballots that were not counted on Tuesday. These ballots seems to be overwhelming tilted towards Tom.

This makes the Charlottesville look like a 3rd world country (or Florida).
Worse it makes it look bad for the fairness of the election to sudden find 100’s of votes.
I’m NOT saying anybody did anything wrong, just it makes a city run by democrats look like some no counting chumps. Sorry but this kind of counting error days after the election makes me want to fire somebody.

I don’t know why the votes weren’t counted initially. Carelessness or fatigue? (Kinda scary.) Or was it the metaphorical equivalent of holding a chair for a person and pulling it back when he sits down?

I’m now satisfied that the account given by Danville election officials of the VERIS election-night “glitch” and their response accords with the available evidence. Although I of course do not know all the facts, it seems clear that they had to deal with a horrible situation — a state database system that scrambled data randomly across a series of precincts. And I am increasingly confident that they did so with an unflinching, tireless commitment to get the numbers right.

At the same time, I hope that readers of this blog — and those who have followed the extraordinary events that occurred after midnight on election night — will not soon forget the evidence of the VERIS system’s dysfunctionality. No private-sector firm would EVER tolerate a mission-critical database that scrambles data as the result of a service outage, and leaves their staff frantically trying to reconstruct the scrambled data. Should the citizens of our Commonwealth settle for any less?

There are signs aplenty that Virginia’s new registration and vote tallying system is a disaster — one that threatens the integrity of our democratic processes. When the story is finally told of what transpired in Danville, I think we’ll be proud of our election officials for their having made the best of an appalling situation. And we’ll have a long series of questions about the VERIS project.

Bryan Pfaffenberger
STS, UVa*
—————–
*Just to make this clear… I am speaking here as an individual; my views are mine alone and not those of the University of Virginia

I agree that the remark is funny, but I would claim that Lars’ solutions are useful only as “brainstorming”. I’m thinking of my neighbors on 5th St here on the edge of Fifeville. They just aren’t going to trust systems as complicated as Lars describes.

@Lars
These are not solely technical problems; they are political problems. It’s useful and helpful to think of better solutions to the technical challenges involved, but the real problem is one of trust. Should the voters trust the voting system, and do they? Only the first half of that question is amenable to technical attack.

In a carefully worded story, and not citing specific sources, WTVR reports that forensic evidence belonging to Jesse Matthew Jr., the main suspect in the disappearance of Hannah Graham, matches forensic evidence collected during the investigation of Morgan Harrington’s 2009 murder. #

Both Charlottesville Registrar Sheri Iachetta and former Electoral Board member Stephanie Commander have turned themselves in to the police on four six and four felony counts of embezzlement, respectively. #

The Architectural Review Board has approved a bike-themed mural on West Market, below the McGuffey Art Center, although at least one member expressed concerns that it might look like the bicyclists were riding away from Charlottesville’s downtown. #